Certified Incident Handler (CIH) Practice Exam

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which of the following signs is an indicator of a Windows-based Azure security incident?

  1. Unusual execution of double extension file in Azure virtual machine

  2. Frequent updates to operating system

  3. Consistent user logins

  4. Use of built-in security protocols

The correct answer is: Unusual execution of double extension file in Azure virtual machine

An unusual execution of a double extension file in an Azure virtual machine is indeed a strong indicator of a potential security incident in a Windows-based environment. Double extension files (e.g., a file named "document.pdf.exe") can be a tactic used by attackers to disguise malicious files as benign ones. When files with multiple extensions are executed, it often signifies an attempt to bypass security mechanisms, as users or administrators may not recognize the actual file type and its potential danger. In the context of Azure and Windows, the presence of such files could indicate that an attacker is trying to exploit vulnerabilities within the virtual machine or deploy malware. Monitoring for execution of these files is essential for incident detection and response, making this a crucial sign of unusual activity that could point to a security breach.

Frequent updates to the operating system may reflect normal maintenance or security efforts and do not normally indicate a security incident on their own. Likewise, consistent user logins are expected behavior in a controlled environment and would not typically raise alarms unless accompanied by other suspicious activity. The use of built-in security protocols is also a standard practice aimed at protecting systems and does not indicate a security incident by itself.

In summary, the unusual execution of a double extension file is a clear and concerning indicator